Microsoft Azure default Linux configuration leaks serious remote code execution vulnerabilities

Although Microsoft expressed its deep love for Linux, this has not been well implemented in the Azure cloud. The Wiz security research team recently pointed out that they have discovered a series of serious vulnerabilities in Open Management Infrastructure (OMI) software agents in many popular Azure services. The problem is that when Azure customers set up Linux virtual device services in the cloud, the OMI agent is automatically deployed without their knowledge.

But unless a patch is applied in time, an attacker can use the four vulnerabilities to gain elevated root privileges and execute arbitrary malicious code remotely (such as encrypting files for ransom). To make matters worse, the hacker can infiltrate and gain root access to the remote machine by simply sending a packet with the authentication header removed. If OMI opens ports 5986, 5985, or 1270, the system is more vulnerable to attacks.

It is reported that due to a simple conditional statement programming error, combined with an uninitialized auth structure, any request that lacks an Authorization header will be given root-level permissions with uid=0 and gid=0 by default. Wiz calls the vulnerability OMIGOD and speculates that as many as 65% of Linux deployments on Azure are affected. Fortunately, Microsoft has released a 1.6.8.1 patched version of the OMI software agent, and it is recommended that customers perform the update manually.

Finally, Wiz recommends that users choose whether to allow OMI to listen on the three ports of 5985, 5986, and 1270 as appropriate. If not necessary, please immediately restrict access to these ports to block the CVE-2021-38647 remote code execution (RCE) vulnerability.

Leave a Comment